OWA Phish – a new vector (2)

Here are some technical details to expand on the previous post from Darya.

1. The Spam

According to our preliminary research, the spam emails which attacked OWA users, including Kaspersky, were sent using the pushdo botnet – which is based on malware from the Backdoor.Win32.NewRes family. These Trojans spread via spam, social networks (in conjunction with the Koobface family) and through hacked websites.

The spam emails link to a phishing webpage which is registered to 15 dynamic IP addresses located in separate IP sectors and which are constantly changing.

2. The Phish

An analysis of the phishing site proves that the criminals are using rock phishing techniques – typical rock phish structure and together with dynamic content which morphs to target users from the domain under attack.

3. The Trojan

This OWA phishing attack is spreading a variant of Trojan-Spy.Win32.Zbot – a Trojan which steals passwords fstored on the infected machines; specifically passwords to local applications, passwords to websites etc. The Trojan also has keyboard logger functionality. Finally, this Zbot can also download other malware if required. In this instance, the command and control center is located in the Ukraine.


This particular attack is using well-known methods overall. The notable features of the attack are the domain name spoofing and the creation of a phishing site which mimics OWA pages. The rest is as usual.

OWA Phish – a new vector (2)

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox